[WEB SECURITY] security audit - how to avoid legal prosecution

Aiken, Dan AikenD at HSS.EDU
Wed Jun 8 11:03:46 EDT 2005


The difference between a hacker and a security consultant is PERMISSION!
Always, repeat ALWAYS, get permission IN WRITING before doing any active
penetration testing of any network. Respected figures in IT have lost
their jobs or been sent to prison for not getting written permission
before doing pen testing.

Dan Aiken, GSEC, GSNA
Corporate Compliance Director
Hospital for Special Surgery
535 East 70th Street
New York, NY  10021
(212) 774-2569
aikend at hss.edu
"In theory there is no difference between theory and practice. In
practice there is." Yogi Berra, quoted by Bruce Schneier in Secrets &
Lies, p.8.

The opinions expressed in this message are the author's own and not
necessarily those of Hospital for Special Surgery.


-----Original Message-----
From: Maxim Kostioukov [mailto:maxim at francoudi.com] 
Sent: Wednesday, June 08, 2005 10:01 AM
To: webappsec at securityfocus.com; websecurity at webappsec.org
Subject: [WEB SECURITY] security audit - how to avoid legal prosecution


Would someone advise on how to approach the legal agreements BEFORE
doing any security research?

For example, one is doing penetration tests on web apps without a
written agreement or, even worse, without the other side being aware of
the test, and then informs that side about the findings (without
disclosing them publicly).

Is there any chance of legal prosecution being brought if the other side
simply wants to do so? I think it is possible... Any advice?

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/

